Scaling of remote network directory management resources

ABSTRACT

Features are disclosed for facilitating remote management of network directories of organizations by a directory management system. The network directories may change over time, experiencing growth in size and number of current connections, increased latency, reduced performance, and the like. The network directories may also shrink over time, experience fewer connections, etc. Organizations can define scaling policies by which the directory management system can automatically respond to the occurrence of various events, such as changes in the size or usage of the organizations' network directories, by scaling resources associated with the directories. The directory management system can perform various scaling actions on-demand or without requiring additional action by the organizations, thereby reducing the time and effort required by the organizations to monitor their own directories and implement (or request implementation of) changes.

BACKGROUND

Organizations, such as companies and other enterprises, often network their computing devices to communicate with each other and with computing devices outside of the organization. Network directories, also referred to simply as “directories,” are specialized collections of information about devices, applications, people and other common objects of computer networks. Organizations with computing networks typically use directories to efficiently locate, organize, administer and otherwise manage the network resources. For example, a user may be added to a directory and associated with particular credentials. Thereafter, the user may be authenticated by comparing user-supplied credentials (e.g., obtained during a login procedure) to those in the directory. Information about what the user is authorized to do may then be retrieved from the directory. As another example, individual computers, printers and other devices that are part of a network environment may be listed in a directory, and applications or users may look up a list of available devices in the directory and obtain information for accessing them (e.g., names, addresses, etc.).

Organizations often utilize directory management services to create and maintain their directories. A directory management service may be configured to create a directory in a data center operated by the organization (e.g., on-premises) or in a remote network (e.g., off-premises), depending on the organization's business needs. The number of objects in the directory, the number of concurrent connections to the directory, and other factors that affect the directory may change over time. For example, if an organization adds new employees, the directory management service may create objects in the directory for each of the new employees and each device used by the new employees. Additional connections may also be established with the directory while the new employees are using their devices.

BRIEF DESCRIPTION OF DRAWINGS

Embodiments of various inventive features will now be described with reference to the following drawings. Throughout the drawings, reference numbers may be re-used to indicate correspondence between referenced elements. The drawings are provided to illustrate example embodiments described herein and are not intended to limit the scope of the disclosure.

FIG. 1 is a block diagram of an illustrative network environment including various regions in which a directory management system may maintain directories for customer organizations.

FIG. 2 is a diagram of a user interface for configuring automatic resizing of directories.

FIG. 3 is a flow diagram of an illustrative process for managing automatic resizing of directories.

FIG. 4 is a block diagram of illustrative resized domain controllers in a directory management system.

FIG. 5 is a block diagram of an illustrative addition of domain controllers in a directory management system.

FIG. 6 is a block diagram of another illustrative addition of domain controllers in a directory management system.

DETAILED DESCRIPTION

Introduction

The present disclosure involves an architecture in which a directory management system that is separate from enterprises and other organizational customers (e.g., a cloud-based or other remote directory service) can manage the organizations' network directories from off of the organizations' premises. The remote directory management system can be configured by the organizations to automatically scale the organizations' directories and/or the resources used to manage the directories in response to the satisfaction of various criteria or otherwise based on the occurrence of various events. The remote directory management system may also or alternatively scale the organizations' directories and/or the resources used to manage the directories on-demand, at the discretion of the organizations.

Some remote directory management services maintain directories of customer organizations in a network environment that includes multiple (e.g., two or more) data centers located throughout a range of geographic regions. A remote directory management service may implement, for a particular organization, a domain controller (or some other system that responds to security authentication requests, authorization requests, and the like) in each of two or more different data centers within a region to improve or maximize availability and performance of the organization's directory within the region. Over time, an organization's directory needs may change. For example, as the organization adds employees, additional objects may be defined within the directory for each new employee, for each new device used by the employees, etc. Additional connections to the directory may also be established due to the new employees. As new objects are defined within the directory and additional connections are established, the overall performance of the directory may be negatively affected, particularly when the computing system on which the directory is stored or managed (e.g., the domain controller) does not have sufficient resources to satisfy the demands of the growing directory. In addition, customers may remove objects from directories and/or reduce the number of concurrent connections to the directory. For example, when a remote directory management service charges a fee to customer organizations based on the size of the directory under management or the number of connections to the directory, organizations may desire to scale down their directories in order to save fees, free up resources, etc. Organizations may make adjustments to their directories and/or the resources used to manage the directories in order to maintain or improve directory performance (e.g., using domain controllers with additional resources sufficient to satisfy the demands of a growing directory), or to maintain or reduce costs and excess capacity (e.g., using domain controllers with fewer resources that are nevertheless sufficient to satisfy the current and/or expected demands of the directory).

Aspects of the present disclosure relate to automatic and on-demand scaling of directories, including changing the computing resources responsible for managing the directories (e.g., the domain controllers) to increase or reduce the available size of the directories. The directories may be scaled by migrating to domain controllers with additional computing resources sufficient to handle a current or expected size of a directory, number of connections to the directory, etc. Such scaling may be referred to as “vertical scaling.” A remote directory management service can automatically, or at the discretion of the organizations, scale the directories for the organizations, thereby reducing the tasks that organizations must typically perform to scale their respective directories (e.g., acquiring new hardware; configuring the operating system and network domain; setting up directory replication; etc.). In some embodiments, the automatic scaling can be triggered by the satisfaction of one or more criteria or otherwise by the occurrence of one or more events, as monitored by the remote directory management service. For example, the remote directory management service can monitor the number of objects in an organization's directory and/or the number of connections to the directory. Based on a policy defined or selected by the organization, the remote directory management service can automatically migrate management of the organization's directory to a different domain controller with additional resources to handle an increase in objects/connections, or to a domain controller with fewer resources in order to save costs. In addition to the migration, the remote directory service can configure replication and perform any other necessary procedures automatically, without additional input or action on the part of the organization subsequent to the initial specification of the scaling policy.

Additional aspects of the present disclosure relate to the automatic or on-demand addition of domain controllers, regions, and the like to increase the computing resources managing a directory and/or to increase the size of the geographic region (or the number of individual geographic regions) in which a directory may be used. Such scaling may be referred to as “horizontal scaling,” and differs from the vertical scaling described above in that the computing resources managing the directory are not necessarily scaled to increase or decrease the number of directory objects that can be effectively managed, but rather to increase or decrease the overall availability of the directory. For example, a remote directory management service may maintain directories of customer organizations in a network environment that includes multiple (e.g., two or more) data centers in each of multiple geographic regions. The total geographic area serviced by the remote directory management service may be separated into separate regions in order to improve latency and performance within each region (e.g., by limiting the scope of the directories under management to a single region). In order to further improve performance within a specific region, additional domain controllers may be added for the directory to efficiently support a larger number of concurrent connections. Thus, the connections can be spread among more domain controllers, thereby decreasing user-perceived latency and improving user-perceived performance. As another example, an organization may be a global organization or some other organization that spans multiple geographic regions into which management of directories is usually segmented. By adding additional geographic regions to the area that corresponds to a particular directory, the directory can be shared across the multiple geographic regions, effectively increasing the total geographic area covered by a single directory. As with vertical scaling, horizontal scaling may include the reduction of resources (e.g., removal of domain controllers and/or regions) in addition to or instead of the addition of resources. Moreover, horizontal scaling can be automatically triggered based on the satisfaction of organization-specified criteria or the occurrence of some other event, and the remote directory management service can automatically configure domain controllers, set up replication, and perform other necessary procedures automatically, without additional input or action on the part of the organization.

Although aspects of the embodiments described in the disclosure will focus, for the purpose of illustration, on specific examples and embodiments of directories, domain controllers, remote directory management services and service area hierarchies, one skilled in the art will appreciate that the examples and techniques disclosed herein are illustrative only and may be applied to any number of services, processes, or applications. Various aspects of the disclosure will now be described with regard to certain examples and embodiments, which are intended to illustrate but not limit the disclosure.

Example Directory Management Environment

FIG. 1 shows an example environment in which directory management features of the present disclosure can be implemented according to some embodiments. As used herein the term “directory” generally refers to an organized collection of data about users, devices, applications, and/or other common resources of a computer network, such as a corporate network, university network, or some other network. Each resource on a computer network (or some subset thereof) may be represented as an object in a directory, and information about a particular resource (e.g., name, address, permissions, etc.) can be stored as attributes of that object. Information can be securely stored within or in association with the object such that only users with sufficient permissions are able to access, modify, or otherwise use the information. As used herein, the term “domain controller” refers to a server or other computing device or virtual machine (or group of computing devices and/or virtual machines) that responds to security authentication requests (e.g., user logins), authorization requests (e.g., checking user permissions to perform some task), and the like using a particular network directory.

A directory management system may maintain directories of customer organizations in a network environment that includes data centers located throughout a geographic area. As shown, a geographic area 100, such as the continental United States, serviced by a directory management system may be divided into various regions 110, 112, 114 and 116. Individual regions, such as region 112, may be further divided into various zones 120, 122, 124, and so on. Although particular geographic regions and zones will be described, such regions and zones are illustrative only, and are not intended to be limiting. In some embodiments, other regions, zones and the like may be used, or other divisions of service areas altogether may be used. The directory management system may implement, for any particular organization, a domain controller in each of two or more different data centers within a region to improve or maximize availability and performance of the organization's directory within the region. In addition, the directory management system can automatically scale the organization's directory and/or the resources used to manage the directory in order to improve availability and/or user-perceived performance, reduce fees and/or excess computing resources, and the like as described in greater detail below.

The organizations 102 can correspond to various customers of the directory management system. Although the term “organization” is used herein, the features involving such organizations may additionally or alternatively involve any customer or entity having a directory and wishing to use the directory management system to manage access to the directory by, e.g., user computing devices 104 of users associated with the organization. For example, an organization 102A may employ the services of the directory management system, which may store the organization's directory 142A in one or more data centers within the region in which the organization 102A is located, or in which the directory 142A is to be used. Users associated with the organization 102A (e.g., users with corresponding user information in the directory 142A) may use computing devices 104 that connect to the directory management system in order to access the directory 142A for authentication, authorization, and the like.

The user computing devices 104 can correspond to a wide variety of computing devices, including desktop computing devices, laptop computing devices, terminal devices, mobile phones, tablet computing devices, media players, wearable computing devices (e.g., smart watches, smart eyewear, etc.), and various other electronic computing devices and appliances having one or more computer processors, computer-readable memory and network-access capabilities. Some user computing devices 104 may be associated with a particular organization 102A. For example, an organization may have various user computing devices 104 that remain on-premises, or that are used off-premises primarily by employees or other users associated with the organization. In some embodiments, some or all of the user computing devices 104 may be separate from any organization, such as public computers or home computers that are used by any number of users to perform various tasks, which may include accessing applications using credentials associated with a particular organization 102A.

The directory management system may have data centers spread across each region to manage directories and provide other computing services within the respective regions. For example, the directory management system may have one or more data centers in each zone, such as data centers 130, 132 and 134 in zones 120, 122 and 124, respectively, of region 112. The data centers 130, 132 and 134 may each house many computing devices (e.g., hundreds or thousands) configured to host or otherwise provide access to applications, manage directories for separate customer organizations, and/or provide other network-based services and resources. Each domain controller 140 may be a single computing device, or it may include multiple distinct computing devices, such as computer servers, logically or physically grouped together to collectively operate as a server system. For example, a data center 132 may include a server or group of servers that operate as one or more domain controllers 140 for organizations' directories, including a particular domain controller 140A that manages the directory 142A of organization 102A. To improve or maximize uptime and availability within the region 112, a second domain controller 140B can be implemented in a different data center 130 within the region 112. Thus, if one domain controller 140A goes offline or is otherwise made unavailable for any reason (e.g., due to a natural disaster striking the data center in which the domain controller physically resides), the other domain controller 140B will likely remain online and available to manage use of the directory 142A. Accordingly, the organization's users can continue to perform any computing tasks that require the authentication, authorization, and other services of the directory 142A.

The directory management system may also include one or more auto scaling controllers 150 to monitor directory-related events, operating conditions, and the like, and to implement automatic scaling of directories and directory management resources, as described in greater detail below. The components of the directory management system, such as the domain controllers, the automatic scaling controllers, and the like can each be implemented as hardware, such as a server computing device, or as a combination of hardware and software. In addition, two or more components of the directory management system may be combined on one server computing device or separated individually or into groups on several server computing devices. In some embodiments, the features and services provided by the directory management system may be implemented as web services consumable via a communication network. In further embodiments, the features and services are provided by one or more virtual machines implemented in a hosted computing environment. The hosted computing environment may include one or more rapidly provisioned and released computing resources, which computing resources may include computing, networking and/or storage devices. A hosted computing environment may also be referred to as a cloud computing environment.

As will be appreciated, the various computing devices and components shown and described herein may communicate with each other and/or with other devices and components via one or more communication networks. The communication networks may be part of a publicly-accessible network of linked networks, possibly operated by various distinct parties, such as the Internet. In some embodiments, the communication networks may be or include a private network, personal area network, local area network, wide area network, cable network, satellite network, cellular telephone network, etc. or combination thereof.

Setup of Automatic and On-Demand Scaling

FIG. 2 shows an example user interface for setup of automatic and on-demand scaling policies for an organization's directory or directories. A system administrator or some other user associated with an organization, such as organization 102A shown in FIG. 1, may access the directory management system to configure scaling of the organization's directory 142A. Illustratively, the directory management system may include or be associated with a content server that generates and transmits network-based content pages for managing directories and configuring automatic scaling. The content page 200 shown in FIG. 2 is an example of such a content page.

The interface may include separate panels, areas or portions for allowing organizations to configure on-demand scaling 202 and automatic scaling 204. For example, in the on-demand scaling 202 portion, a drop-down list 220 or some other interface control configured to present multiple selectable options may be provided to allow the user to select on-demand scaling actions. In some embodiments, the scaling actions that the applications may be authorized to perform include: migrating to a larger or smaller domain controller; adding or removing resources to/from an existing domain controller; adding/removing domain controllers in a particular zone or region; adding/removing regions for use with a particular directory; and the like. The user can then initiate performance of the scaling action by activating button 222 or performing some other action to submit the on-demand scaling request.

An automatic scaling policy configuration portion 204 may include a listing of operating parameters and events that may serve as the basis for automatic scaling of directory-management resources. Users may specify criteria pertaining to various operating parameters related to the directory, including but not limited to: central processing unit (“CPU”) utilization and/or capacity; memory utilization and/or capacity; the number of objects in the directory; the number of concurrent connections to the domain controller(s) for the directory; domain controller latency when responding to a directory-related request; cost incurred by the organization per object or per connection over a particular period of time; total cost incurred by the organization over a particular period of time; and the like. Users may also or alternatively specify particular events that serve to trigger automatic scaling actions. For example, users may wish to have some action automatically initiated when an existing domain controller for the organization's directory goes offline, when certain errors are raised, at certain times of the day or year (e.g., reduce resources at night, add resources during the “login storm” period at the beginning of the work day, or add resources during a busy season); and the like.

A user may select a particular operating parameter or event by, e.g., activating or de-activating a checkbox 240 or interacting with some other interface control configured to indicate selection or de-selection of an item. For operating parameters that the user has chosen, the user may enter some value in input field 242 for the parameter that triggers automatic scaling. The user may select a particular automatic scaling action (or group of actions) to perform when the corresponding criterion or event is satisfied. For example, if the operating parameter associated with selection of checkbox 240 corresponds to the number of objects in the directory falling below a threshold, the user may enter a value for the threshold, such as 10,000. Thereafter, if the automatic scaling controller 150 detects that the number of objects in this organization's directory falls below 10,000, the automatic scaling controller 150 may initiate the corresponding action selected by the user (e.g., down-scaling to a smaller and/or lower cost domain controller).

A drop-down list 244 or some other interface control configured to present multiple selectable options may be provided to allow the user to select automatic scaling actions for individual criteria and events. In some embodiments, the automatic scaling actions that the applications may be authorized to perform include: migrating to a larger or smaller domain controller; adding or removing resources to/from an existing domain controller; adding/removing domain controllers in a particular zone or region; adding/removing regions for use with a particular directory; and the like.

When a user configures an automatic scaling policy for an organization's directory, automatic scaling policy information may be stored such that the policy information is accessible to one or more automatic scaling controllers 150 of the directory management system. For example, the policy information may be stored in a data store in the data centers in which domain controllers have been or will be implemented for the organization's directory. Thus, the automatic scaling controllers 150 in those data centers may monitor the criteria and/or events, and may efficiently implement the appropriate automatic scaling actions. Domain controllers and/or automatic scaling controllers 150 in different data centers may communicate with each other and exchange information relevant to the determination of whether automatic scaling actions are to be implemented. In this way, an automatic scaling controller 150 in one data center may make an accurate determination regarding an automatic scaling policy based on information from all domain controllers using the organization's directory, even if some or all of the domain controllers are physically located in different data centers.

Triggering and Implementation of On-Demand and Automatic Scaling Actions

FIG. 3 illustrates a sample process 300 that may be used by the directory management system to implement on-demand scaling actions. In addition, the process 300 may be used by an automatic scaling controller 150 or some other module or component of a directory management system to monitor changes in various operational parameters and other events, and implement automatic directory scaling actions according to organization-specified policies. Advantageously, the automatic scaling controller 150 may monitor operating parameters and events with respect to the directories of multiple, distinct organizations or other customers, and automatically implement scaling actions without requiring monitoring or other action on the part of the organizations themselves. In this way, the directory management system can provide a dynamic and robust directory management environment that scales directory management resources based on organization-specified policies regardless of where the directories and/or domain controllers are physically located, how big or small the directories are, the size of the geographic area covered by individual directories, etc. Such a directory management system can provide organizations with desired cost control measures, and can also ensure that directory management resources are efficiently utilized.

The process 300 begins at block 302. For example, the process 300 may begin automatically upon initialization of an automatic scaling controller 150 in a data center of the directory management system.

At decision block 304, the directory management system may determine whether an on-demand scaling action has been requested or initiated by an organization. Illustratively, an administrator, technician, or other user associated with an organization may launch a browser application on a user computing device 102 and navigate to the content page 200, shown in FIG. 2, to select a directory scaling action to be performed. If so, the process 300 can proceed to block 314, where applicable scaling actions are determined and then performed at block 316. Otherwise, the process 300 can proceed to decision block 306.

At decision block 306, the directory management system may determine whether an automatic scaling policy has been created, selected, modified, or otherwise indicated for a particular directory or group of directories. Illustratively, an administrator, technician, or other user associated with an organization may launch a browser application on a user computing device 102 and navigate to the content page 200, shown in FIG. 2, to select or define one or more automatic scaling policies for the organization's directory. If so, the process 300 may proceed to block 308; otherwise the process 300 may return to decision block 304 to wait for receipt of a policy or on-demand request, proceed to block 310 to monitor events and/or operating parameters associated with previously-defined policies, or terminate at block 318.

At block 308, information regarding the policy created, selected, modified, or otherwise indicated for a particular directory or group of directories above at block 306 can be stored such that it is accessible to an automatic scaling controller 150. If an automatic scaling controller 150 has been implemented in each data center, then policy configuration information may be stored in a data store integrated with or accessible to the automatic scaling controller 150 in the data center in which a domain controller for the organization's directory is also located. In some embodiments, a single automatic scaling controller 150 may be used for multiple (e.g., two or more) or all data centers of the directory management system. In additional embodiments, multiple (e.g., two or more) automatic scaling controllers may be implemented in a single data center.

At block 310, an automatic scaling controller 150 can monitor the event(s) and/or operating parameter(s) associated with automatic scaling policies. As described above, a directory management system may implement a single automatic scaling controller 150 for all data centers, or one or more automatic scaling controllers 150 for each data center. In some embodiments, individual automatic scaling controllers 150 can monitor the events and/or operating parameters associated with policies that have been previously submitted by organizations having directories managed by domain controllers 140 in the same data center as the automatic scaling controller 150. For example, the automatic scaling controller 150 for a particular data center may communicate with each domain controller 140 in the data center. The automatic scaling controller 150 may receive periodic or continuous information regarding events and/or operating parameters associated with previously submitted policies (e.g., number of objects in a directory; number of concurrent connections to the domain controller 140; latency; etc.). In some cases, the automatic scaling controller 150 may perform computations or analyses using information from the domain controllers 140 in order to monitor events and/or operating parameters. For example, the automatic scaling controller 150 may perform calculations to determine the costs incurred in certain situations, such as the cost to an organization per directory object or per concurrent connection.

At decision block 312, the automatic scaling controller 150 can determine whether, for any of the policies that the automatic scaling controller 150 is responsible for implementing, an event has occurred or a criterion has been satisfied. If such an event has occurred or a criterion has been satisfied, the process 300 may proceed to block 314 where the automatic scaling controller 150 can determine the applicable scaling actions (if any) to perform in response to occurrence of the event or satisfaction of the criterion. FIGS. 4 and 5 illustrate examples of event/criterion detection and performance of automatic scaling actions. Otherwise, if no event has occurred and no criterion has been satisfied, the process 300 may return to block 308.

FIG. 4 shows the implementation of replacement domain controllers configured to manage larger directories. The organization that owns or is otherwise associated with a directory 142 may have previously configured an automatic scaling policy (e.g., at block 306 of FIG. 3) specifying that when the number of objects in the organization's directory 142 exceeds a particular threshold, the directory management service is to migrate the directory 142 to domain controllers that have additional resources to effectively manage the larger directory 142. As shown, an automatic scaling controller 150 may determine at [A] (and block 312 of FIG. 3) that the size of the directory 142 exceeds the threshold, or will exceed the threshold if a requested operation is performed (e.g., an “add user” request is made to add a user to the directory 142). The automatic scaling controller 150 may then (e.g., at block 316 of FIG. 3) transfer management of the directory 142 from a particular domain controller 140A (or combination of domain controllers 140A and 140B) to a domain controller 140C (or combination of domain controllers 140C and 140D) with additional resources to more effectively manage larger directories. Illustratively, the directory management system may offer domain controllers in various sizes or capacities, such as small domain controllers optimized for directories with a small number of objects (e.g., about 1,000 objects), medium domain controllers optimized for directories with a moderate number of objects (e.g., about 10,000 objects), and large domain controllers for directories with a large number of objects (e.g., about 100,000 objects). The various sizes may correspond to virtual machine abstractions of the actual hardware computing devices in the data centers of the directory management system. Management of directories may be transferred to domain controllers of the next bigger size (or next smaller size), and such transfer may involve the physical transfer of directory management to another device or group of devices, or the logical transfer of directory management to another virtual machine. Such scaling may be referred to as vertical scaling. In some embodiments, the directory management system may add resources to (or remove resources from) existing domain controllers in order to implement a scaling policy, rather than moving management of a directory to another physical or virtual machine. Alternatively, the organization may have submitted an on-demand scaling request (e.g., at block 304 of FIG. 3) to up-scale or down-scale one or more domain controllers.

FIG. 5 shows the implementation of additional domain controllers to improve availability of a directory, rather than to increase the size of the directory. Such scaling may be referred to as horizontal scaling. The organization that owns or is otherwise associated with a directory 142 may have previously configured an automatic scaling policy (e.g., at block 306 of FIG. 3) specifying that when the number of connections to domain controllers for a particular directory meets or exceeds a threshold, the directory management service is to add a domain controller in the same zone/data center as the domain controller(s) currently using the directory 142 in order to accommodate the connections and improve overall availability of the directory 142. As shown, an automatic scaling controller 150 may determine at [A] (and block 312 of FIG. 3) that the number of connections exceeds the threshold. The automatic scaling controller 150 may then at [B] (and block 316 of FIG. 3) automatically implement additional domain controllers 140A′ and 104B′ in the same zones or data centers as the domain controllers 104A and 104B, respectively. In some embodiments, the scaling controller 150 may implement a new domain controller 140C in a different data center or zone altogether. Alternatively, the organization may have submitted an on-demand scaling request (e.g., at block 304 of FIG. 3) to implement one or more additional domain controllers.

FIG. 6 shows another example of the implementation of additional domain controllers to improve availability of a directory, rather than to increase the size of the directory. The horizontal scaling shown in FIG. 6 expands the availability of the directory to a different region altogether, rather than improving availability within an existing region. For example, the organization that owns or is otherwise associated with a directory 142 may have previously configured an automatic scaling policy (e.g., at block 306 of FIG. 3) specifying that when the number of connections from a geographic region in which there is not currently a domain controller for the directory 142 exceeds a particular threshold, the directory management service is to add a domain controller in the geographic region to accommodate the connections and improve overall availability of the directory 142. As shown, an automatic scaling controller 150 may determine at [A] (and block 312 of FIG. 3) that the number of connections from geographic region 110 exceeds the threshold. The automatic scaling controller 150 may then at [B] (and block 316 of FIG. 3) automatically implement an additional domain controller 140C in a data center 600 of the geographic region 110 to more effectively handle the connections from the region 110. Alternatively, the organization may have submitted an on-demand scaling request (e.g., at block 304 of FIG. 3) to implement one or more additional domain controllers in additional regions.
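
The decision at blocks 312 and 314 for the three policies of FIGS. 4 to 6 can be sketched as follows. This is an added example, not code from the disclosure; the Policy and DirectoryState records, the action tuples, and the zone and region names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Illustrative tiers from the text (about 1,000 / 10,000 / 100,000 objects).
# The tier names as identifiers are assumptions for this example.
TIERS = ["small", "medium", "large"]


@dataclass
class Policy:                      # hypothetical policy record (block 306)
    kind: str                      # "objects" | "connections" | "region_connections"
    threshold: int


@dataclass
class DirectoryState:              # hypothetical monitoring snapshot (block 308)
    tier: str                      # size of the current domain controllers
    object_count: int
    connections: int               # connections to the directory's domain controllers
    dc_zones: list                 # zones that currently host a domain controller
    connections_by_region: dict    # originating region -> connection count
    dc_regions: set                # regions that already host a domain controller


def next_tier(current):
    """Return the next bigger size, or None when already at the largest."""
    i = TIERS.index(current)
    return TIERS[i + 1] if i + 1 < len(TIERS) else None


def evaluate(policies, state, pending_adds=0):
    """Blocks 312/314: list the scaling actions whose criteria are satisfied."""
    actions = []
    for p in policies:
        if p.kind == "objects":
            # FIG. 4: size exceeds the threshold, or would after a pending request.
            if state.object_count + pending_adds > p.threshold:
                target = next_tier(state.tier)
                if target is not None:
                    actions.append(("migrate", state.tier, target))
        elif p.kind == "connections":
            # FIG. 5: "meets or exceeds"; add a controller in each existing zone.
            if state.connections >= p.threshold:
                actions += [("add_dc_in_zone", z) for z in state.dc_zones]
        elif p.kind == "region_connections":
            # FIG. 6: only regions with no domain controller yet are considered.
            for region, count in sorted(state.connections_by_region.items()):
                if region not in state.dc_regions and count > p.threshold:
                    actions.append(("add_dc_in_region", region))
        else:
            raise ValueError(f"unknown policy kind: {p.kind}")
    return actions


def demo():
    # Constructed sample data, not taken from the patent.
    policies = [Policy("objects", 1000), Policy("connections", 500),
                Policy("region_connections", 250)]
    state = DirectoryState("small", 1000, 500, ["zone-a", "zone-b"],
                           {"region-110": 300, "region-home": 900},
                           {"region-home"})
    return evaluate(policies, state), evaluate(policies, state, pending_adds=1)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With the sample data, a directory holding exactly 1,000 objects triggers no migration until one pending "add user" request is counted, and a directory already on the largest size yields no migrate action at all.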

Terminology

Depending on the embodiment, certain acts, events, or functions of any of the processes or algorithms described herein can be performed in a different sequence, can be added, merged, or left out altogether (e.g., not all described operations or events are necessary for the practice of the algorithm). Moreover, in certain embodiments, operations or events can be performed concurrently, e.g., through multi-threaded processing, interrupt processing, or multiple processors or processor cores or on other parallel architectures, rather than sequentially.

The various illustrative logical blocks, modules, routines, and algorithm steps described in connection with the embodiments disclosed herein can be implemented as electronic hardware, or as a combination of electronic hardware and executable software. To clearly illustrate this interchangeability, various illustrative components, blocks, modules, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware, or as software that runs on hardware, depends upon the particular application and design constraints imposed on the overall system. The described functionality can be implemented in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosure.

Moreover, the various illustrative logical blocks and modules described in connection with the embodiments disclosed herein can be implemented or performed by a machine, such as a general purpose processor device, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor device can be a microprocessor, but in the alternative, the processor device can be a controller, microcontroller, or state machine, combinations of the same, or the like. A processor device can include electrical circuitry configured to process computer-executable instructions. In another embodiment, a processor device includes an FPGA or other programmable device that performs logic operations without processing computer-executable instructions. A processor device can also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration. Although described herein primarily with respect to digital technology, a processor device may also include primarily analog components. For example, some or all of the signal processing algorithms described herein may be implemented in analog circuitry or mixed analog and digital circuitry. A computing environment can include any type of computer system, including, but not limited to, a computer system based on a microprocessor, a mainframe computer, a digital signal processor, a portable computing device, a device controller, or a computational engine within an appliance, to name a few.

The elements of a method, process, routine, or algorithm described in connection with the embodiments disclosed herein can be embodied directly in hardware, in a software module executed by a processor device, or in a combination of the two. A software module can reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of a non-transitory computer-readable storage medium. An exemplary storage medium can be coupled to the processor device such that the processor device can read information from, and write information to, the storage medium. In the alternative, the storage medium can be integral to the processor device. The processor device and the storage medium can reside in an ASIC. The ASIC can reside in a user terminal. In the alternative, the processor device and the storage medium can reside as discrete components in a user terminal.

For example, the process 300 described with respect to FIG. 3 may be embodied in a set of executable program instructions stored on one or more non-transitory computer-readable media, such as one or more disk drives or solid-state memory devices, of a computing system with which the directory management system is associated. When the process 300 is initiated, the executable program instructions can be loaded into memory, such as RAM, and executed by one or more processors of the computing system. In some embodiments, the computing system may include multiple computing devices, such as servers, and the process or portions thereof may be executed by multiple servers, serially or in parallel.

Conditional language used herein, such as, among others, “can,” “could,” “might,” “may,” “e.g.,” and the like, unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or steps. Thus, such conditional language is not generally intended to imply that features, elements and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without other input or prompting, whether these features, elements and/or steps are included or are to be performed in any particular embodiment. The terms “comprising,” “including,” “having,” and the like are synonymous and are used inclusively, in an open-ended fashion, and do not exclude additional elements, features, acts, operations, and so forth. Also, the term “or” is used in its inclusive sense (and not in its exclusive sense) so that when used, for example, to connect a list of elements, the term “or” means one, some, or all of the elements in the list.

Disjunctive language such as the phrase “at least one of X, Y, Z,” unless specifically stated otherwise, is otherwise understood with the context as used in general to present that an item, term, etc., may be either X, Y, or Z, or any combination thereof (e.g., X, Y, and/or Z). Thus, such disjunctive language is not generally intended to, and should not, imply that certain embodiments require at least one of X, at least one of Y, or at least one of Z to each be present.

Unless otherwise explicitly stated, articles such as “a” or “an” should generally be interpreted to include one or more described items. Accordingly, phrases such as “a device configured to” are intended to include one or more recited devices. Such one or more recited devices can also be collectively configured to carry out the stated recitations. For example, “a processor configured to carry out recitations A, B and C” can include a first processor configured to carry out recitation A working in conjunction with a second processor configured to carry out recitations B and C.

While the above detailed description has shown, described, and pointed out novel features as applied to various embodiments, it can be understood that various omissions, substitutions, and changes in the form and details of the devices or algorithms illustrated can be made without departing from the spirit of the disclosure. As can be recognized, certain embodiments described herein can be embodied within a form that does not provide all of the features and benefits set forth herein, as some features can be used or practiced separately from others. The scope of certain embodiments disclosed herein is indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.

What is claimed is:
1. A directory management system comprising: a domain controller comprising a first computer-readable memory and one or more physical computing devices configured to execute computer-executable instructions stored in the first computer-readable memory to at least: respond to network security requests to perform at least one of authentication or authorization regarding objects associated with a network of an organization, wherein the domain controller is external to the network of the organization such that the domain controller communicates with computing devices of the organization via a different network, and wherein the network security requests are received via the different network; and a scaling controller comprising a second computer-readable memory and one or more physical computing devices configured to execute computer-executable instructions stored in the second computer-readable memory to at least: receive directory scaling policy data from the organization comprising a set of one or more criteria associated with an operating parameter of the network directory and a directory scaling action to be taken in response to satisfaction of the one or more criteria, wherein the directory scaling action comprises: determining to separate a geographic area, in which the network directory is managed by a set of one or more domain controllers, into a first portion and a second portion; and adding, to the set of one or more domain controllers managing the network directory, an additional domain controller to manage the network directory in the second portion of the geographic area, wherein an existing domain controller of the one or more domain controllers manages the network directory in the first portion of the geographic area; monitor the operating parameter of the network directory; determine, based at least partly on monitoring the operating parameter of the network directory, whether the one or more criteria are satisfied; and in response to determining that the one or more criteria are satisfied, perform the directory scaling action to modify the set of one or more domain controllers managing the network directory without requiring an instruction to be received from the organization subsequent to the directory scaling policy data.
2. The directory management system of claim 1, wherein at least a portion of the objects associated with the network of the organization represent individual resources of a plurality of resources of the network of the organization, and wherein the plurality of resources of the network of the organization comprises at least one of: a computing device, an application, or a user account.
3. The directory management system of claim 1: wherein the directory scaling policy data further comprises a second directory scaling action, and wherein the second directory scaling action comprises replacing at least a first domain controller of the one or more domain controllers with a replacement domain controller, wherein the replacement domain controller comprises one of a domain controller with a larger amount of computing resources than the first domain controller or a domain controller with a smaller amount of computing resources than the first domain controller.
4. The directory management system of claim 1: wherein the directory scaling policy data further comprises a second directory scaling action, and wherein the second directory scaling action comprises removing a domain controller from the one or more domain controllers.
5. The directory management system of claim 1, wherein the directory management system is further configured to provide domain controllers for management of network directories of a plurality of different organizations.
6. A computer-implemented method comprising: as implemented by a directory management system comprising one or more computing devices, receiving directory scaling information from an organization via a first network, wherein the directory scaling information indicates whether to scale a directory management system associated with a directory of the organization upon detection of an event, wherein the directory comprises a directory of resources associated with a second network separate from the first network, and wherein the directory management system comprises a first computing resource configured to manage use of the directory by at least responding to a security request, received via the first network, to perform at least one of authentication or authorization regarding a resource associated with the second network; monitoring one or more operating parameters of the directory management computing resource, the one or more operating parameters monitored at least partly to detect the event; and in response to detecting the event: determining to separate a geographic area into a first portion and a second portion, wherein use of the directory within the geographic area is managed by the directory management system; and adding, to the directory management system, a second computing resource to manage use of the directory by devices in the second portion of the geographic area, wherein the first computing resource manages use of the directory by devices in the first portion of the geographic area.
7. The computer-implemented method of claim 6, wherein the first computing resource comprises a domain controller configured to at least respond to authentication requests using the directory.
8. The computer-implemented method of claim 6: wherein the directory scaling information further indicates whether to perform a second scaling action; wherein a first operating parameter of the one or more operating parameters comprises at least one of: a number of objects in the directory or a number of network connections associated with the directory; and wherein performing the second scaling action comprises migrating management of the directory at least partly to a third computing resource of a different size than the first computing resource in response to detecting the first operating parameter exceeding a threshold.
9. The computer-implemented method of claim 8, wherein migrating management of the directory comprises: selecting a target domain controller based at least partly on the directory scaling information; and using the target domain controller to manage the directory instead of a domain controller currently managing at least part of the directory.
10. The computer-implemented method of claim 6, wherein the directory is used by two or more domain controllers located in two or more different directory management system zones in a geographic region.
11. The computer-implemented method of claim 6, wherein the directory scaling information further indicates whether to perform a second scaling action, and wherein performing the second scaling action comprises initiating use of an additional domain controller for the directory in a zone in which a domain controller is currently present for the directory.
12. The computer-implemented method of claim 6, wherein adding, to the directory management system, the second computing resource comprises initiating use of an additional domain controller for the directory.
13. The computer-implemented method of claim 6, wherein the directory comprises, for individual resources of the second network, at least one of: authentication information, authorization information, or attribute information.
14. The computer-implemented method of claim 6, wherein the security request for at least one of authentication or authorization regarding the resource associated with the second network comprises one of: a login request comprising a user account credential, or a request for permission to perform a task.
15. Non-transitory computer-readable storage having stored thereon executable instructions configured to cause one or more physical computing devices of a directory management system to execute a process comprising: receiving, via a first network, directory scaling information regarding a directory of an organization, wherein the directory comprises a directory of resources associated with a second network different than the first network, wherein the directory scaling information indicates how to scale a directory management system associated with the directory, and wherein the directory management system comprises a first computing resource configured to respond to a security request, received via the first network, to perform at least one of authentication or authorization regarding a resource associated with the second network; determining to separate a geographic area into a first portion and a second portion, wherein use of the directory within the geographic area is managed by the directory management system; and adding, to the directory management system, a second computing resource to manage use of the directory associated with the second portion of the geographic area, wherein the first computing resource manages use of the directory associated with the first portion of the geographic area.
16. The non-transitory computer-readable storage of claim 15, wherein the process further comprises: monitoring one or more operating parameters associated with the directory to detect an event; wherein adding the second computing resource to the directory management system is automatically performed in response to detecting the event.
17. The non-transitory computer-readable storage of claim 15, wherein the directory scaling information further indicates a scaling action to be performed in response to an event, wherein performing the scaling action comprises replacing at least a first domain controller for the directory with a replacement domain controller, and wherein the replacement domain controller comprises one of a domain controller with a larger amount of computing resources than the first domain controller or a domain controller with a smaller amount of computing resources than the first domain controller.